New Delhi: Shivam Shankar Singh woke last month to an e-mail from an Indian government department. It had a name, address, mobile phone number and bank account with a code for money transfers and investments made in a dairy farm. None of the details were his.

The e-mail contained details submitted to a program that collects personal and biometric data, and was meant for someone from the eastern state of Bihar. Singh, a polling campaign manager for Prime Minister Narendra Modi’s Bharatiya Janata Party in Manipur, a state further east, rang the phone number listed on the e-mail but it didn’t work.

“That shook me,” said Singh, who posted about the incident on Twitter. The e-mail did not request information or ask him to click a link, suggesting it was not a phishing bid, so he did not report it to the police.

“It seemed like a fake identity was made up using my e-mail to corner government benefits,” he said. “Or it could’ve been a mistake. But I’m sure no one wants all his personal information leaked to strangers. And this is happening at a time when the government wants a cashless, digital India.”

The state entity that captures personal data said no information was leaked from its systems. The ministry of micro, small and medium enterprises, the department listed on the e-mail, said it has ordered an inquiry into the matter.

Whatever the circumstances, the episode raises fresh questions about the Unique Identification Authority of India. Better known as Aadhaar, which means “foundation” in Hindi, it was created in 2009 to identify citizens and ensure they receive state benefits in their bank accounts.

Aadhaar is getting more attention: Modi, who scrapped 86% of India’s currency in early November to curb the illegal hoarding of cash, has urged citizens to enroll. With a 12-digit number assigned to users, Aadhaar is key to Modi’s plan to move transactions online. He wants to make it compulsory.

The government is seeking to link the database, with information on about 88% of the population of more than 1.2 billion, including children, to all state services—from school admissions to passports and the purchase of cooking gas. In effect, it would create more large databases. But in a nation without an overarching privacy law, Indians have few options for redress in the event of identity theft or data leaks.

It’s an issue other countries are grappling with: The UK announced in 2010 it was scrapping a plan for a national identity register after objections that it infringed on civil liberties. France is debating a mega database for biometric details of citizens, citing the threat of terrorism. The US Federal Trade Commission said identity theft complaints were the second-most reported in 2015, rising more than 47% from 2014.

‘Every transaction’

“In India, you have the Aadhaar number doing the same thing as the social security number. It envisages to keep track of absolutely every transaction with government and private companies,” said Subhashis Banerjee, a professor at the Delhi-based Indian Institute of Technology. Banerjee and his team are awaiting peer reviews for a paper that examines ways to strengthen Aadhaar and its related systems, including appointing a third-party online auditor.

“You have to give the UIDAI credit for this incredible solution in an incredibly complicated country like India,” said Banerjee. “But with its vast amounts of data, the UIDAI needs more scrutiny.”

The program now has 582 banks, brokerages and government departments listed as registered users permitted to access Aadhaar’s data. Google Inc. estimates India’s digital payments industry will grow 10 times to $500 billion by 2020.

At the same time, private companies obtaining and offering services based on Aadhaar data have proliferated. The UIDAI said in a briefing this month it had shut 12 private websites and 12 mobile applications and was on the verge of closing 26 more for illegally obtaining Aadhaar numbers or enrolment details.

Lawyers arguing against Aadhaar in a bundle of cases—some oppose the whole program, others its expansion—in the nation’s highest court said last month the state’s policy of collecting data through private agencies raises privacy concerns.

The state says the identification cards “would only be issued on a consensual basis” and the “information shall however not be used for any purpose other than social benefit schemes,” court documents show.

“In any system there may be some errors and there have been some cases of misdemeanor in Aadhaar,” said Ajay Kumar, additional secretary at the information technology ministry, referring to the risk of data leaks by companies collecting data. “But the systems in place are very solid and the misdemeanors are statistically very small,” Kumar said.

“Because of one or two cases of misdemeanor we can’t discard the whole thing,” Kumar added.

Saving money

Modi opposed Aadhaar before coming to power, saying it violated national security and the privacy of citizens. Now, Aadhaar has become part of his push for cashless transactions in a nation where a quarter of the people can’t read or write but a third own phones that can be used for online transactions.

The database has multiple layers of technology and hasn’t received any complaint about security, said UIDAI chief executive officer Ajay Bhushan Pandey. Still, there is a need to monitor private databases created with Aadhaar data, he said.

More than 46 million people have joined the program since Modi’s cash ban. Aadhaar is now a requirement for state recruitment, and the Reserve Bank of India allows the use of Aadhaar to verify customers for new accounts. The Aadhaar-enabled payment system is linked to 119 banks with 338.7 million recorded transactions, Prasad said 27 January.

The UIDAI filed a police complaint claiming a breach of Aadhaar’s biometric verification by Axis Bank, Suvidhaa Infoserve and eMudhra, Mint and the Times of India reported last week. The alleged breaches may have occurred during systems testing, Mint added.

Axis Bank said in an e-mail it has blocked “business correspondent” Suvidhaa from accessing the UIDAI database after being alerted to an “alleged deviation from the protocols set by UIDAI.”

Lost data

Suvidhaa will be in a position on Monday to comment, a spokesperson said. eMudhra is not aware of any criminal complaint and has not received any communication from authorities, chairman V. Srinivasan said by e-mail. Pandey did not respond to calls outside of office hours seeking comment.

In April 2013, the western state of Maharashtra said it irretrievably lost the data of 300,000 citizens while uploading files to Aadhaar’s servers in Bangalore, according to a Times of India report.

Aadhaar’s central technology isn’t the biggest worry given the use of iris or finger scans, according to Amit Jaju, Mumbai-based executive director for fraud investigation and dispute services at Ernst & Young. Banks should be concerned about accounts created using Aadhaar databases and the potential for online fraud, he said.

Aadhaar is a “self-cleansing system” that will be audited by a state-run entity when the government asks for it, Pandey said. The government auditor, the Standardisation Testing and Quality Certification Directorate, certifies all hardware used to capture data but hasn’t yet audited its software and databases, he said.

PricewaterhouseCoopers LLP manages cyber security checks for Aadhaar, it said in an e-mail.

Among the listed registered users of Aadhaar’s authentication are AuthBridge Research Services Pvt Ltd and Swabhimaan Distribution Services Pvt Ltd, which runs a mobile app called TrustID. Both use Aadhaar’s biometrics to help companies verify potential customers and employees.